Internet Security Tips for Activists

Indivisible members, this resource is being shared anonymously for our mutual information and protection. It is written by one of our members who invites us to share freely with other groups and individuals as needed.

In what follows, I differentiate between “casual” attacks and “directed” attacks. A casual attack is when you and a million other people receive malware via email, or are swept into a data theft from someone’s mailing list. A directed attack is when someone is attempting to gain access to your information, personally, either because of who you are or because of an organization you’re affiliated with.

There is some overlap, and so some of the same precautions apply to both.

Three Basic Steps

First, there are three basic steps that every internet user should take, regardless of who you are or how you use the internet. These will protect you from the majority of “casual” attacks, and many of the common “targeted” attacks as well.

Use strong, unique passwords.
If they’re strong enough, they’ll be hard to remember. There are several good password managers out there. (LastPass and 1Password are two of the largest.) Information about what a strong password is can be found here: https://ssd.eff.org/en/module/creating-strong-passwords

And then there are directed attacks.

As I said, the above precautions are still the first line of defense. John Podesta’s emails were hacked because (1) neither he nor the DNC technical support team recognized a phishing attack, and (2) he didn’t have two-factor authentication, so getting his password gave away all the goodies.

But, if you are or suspect you might be personally targeted, particularly by a government, there are many more levels of security you can consider. Lawyers, journalists, and others who might handle sensitive information about other people should be especially cautious, as should anyone considering civil disobedience of any kind. Remember that sharing information creates two vulnerabilities: the person receiving the information may provide a link back to you, and the person receiving the information may be personally targeted because they have it. Be mindful about what you share, with whom, and by what mechanism.

It was written for journalists working under repressive regimes, and simply reading the discussions of possible attacks will have you looking over your shoulder. A little paranoia is healthy: there are certain sites where I would never consider using an email address that could be traced back to me, and that I would never visit without an anonymizing browser.

But for most of us, operating at that level of security requires lifestyle changes that we’re not willing to make, and isn’t really necessary anyway.

The Electronic Frontier Foundation has a good discussion of threat modeling and discusses some specific situations where you might want to be especially cautious: https://ssd.eff.org/